Exchange 2010 Certificate error The Certificate Status could not be determined because the revocation check failed

This guide is for a Lab environment scenario where we have Exchange 2010 setup and we need a certificate to make OWA / Autodiscover work in Lab.
When we Install a RootCA (standalone) and generate a certificate for our use initially it works without issues until the certificate is imported in Exchange and get the error “The Certificate status could not be determined because the revocation check failed”
Image-0165
This happens coz of CRL Distribution Point URL, which are configured under the CA server properties / Extensions tab and Certificate Revocation settings.

This is the default settings for “Extensions” on Root CA server. (screenshots taken from a another Server)

imageimage
imageimage

This is the default settings for CRL on Root CA server. Right click “Revoked Certificates” Node and select properties.
imageimage

Lets change these values to work for us.
1st Step, we will set the Configuration Naming Context which will be used in the CRL path.
Start Command Prompt (CMD) and run the following 1 line commad:

certutil –setreg CA\DSConfigDN CN=Configuration,DC=vhomelab,DC=com

Replace DC=vhomelab,DC=com to your domain name.

2nd step, we will change the settings under “Extensions” tab.
Image-0184Image-0185

Image-0186Image-0187
3rd Step, change settings under “Revoked Certificates” properties.
Image-0188
Now, restart the certificate service.

Again right click “Revoked Certificates” and select “Publish” from “Tasks”
This will publish the new CRL with the changes that we made.

Now, go to the Domain Controller and browse the Certificate server using browser (http://YourRootCA/certsrv) and download “CA Certificate” and CRL. (save it on C:\)
Image-0171

From CMD, execute 2 commands: Certutil –addstore –f Root RootCert.cer and Certutil –addstore –f Root RootCRL.crl
Image-0192

This will add Root Certificate and CRL to trusted Root Certificate on DC.
Image-0191Image-0193
Now we will publish the Root Certificate and CRL to AD DS using commands as follows.

Certutil –dspublish –f RootCert.cer RootCA

and

Certutil –dspublish –f RootCRL.crl

Image-0194Image-0195

 

Now, generate a certificate request from from Exchange Management Shell. (you can use GUI as well)
New-ExchangeCertificate -FriendlyName ‘Ex2010-Cert03’ -GenerateRequest -PrivateKeyExportable $true -KeySize ‘2048’ -SubjectName ‘C=BH,S=”State”,L=”City”,O=”vHomelab”,OU=”IT”,CN=mail.vhomelab.com’ -DomainName ‘cas-a.vhomelab.com’,’mail.vhomelab.com’,’vhomelab.com’,’autodiscover.vhomelab.com’ -Server ‘CAS-A’
Image-0196

Request from a certificate.
Image-0197

Complete the certificate request in Exchange Management console.
Image-0198
And, Done!.
Image-0199
If you check the certificate by double clicking it, and under details, see the CRL distribution points,
1st, the command that we ran for Configuration Naming Context, that was to get the CRL path configured properly as shown below.
Image-0200

Hope this has helped you in some ways.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s